Ding Qiu,Minghua Yu,Xinye Zhang,Xiaoli Chai

DOI: https://doi.org/10.1109/ISPDS58840.2023.10235370

2023-07-14

Abstract:Log-based anomaly detection is the key to ensuring that today's large-scale distributed systems can function properly. Analyzing log data that records the running status of software systems and quickly and accurately identifying abnormal parts is the primary task of maintaining system and software security and stability. The main contribution of this paper is the presentation of a new model combining LSTM network and variational autoencoder model: LogLVAE. The model includes a data preprocessing phase and an anomaly detection phase. In the data preprocessing phase, the current most efficient online log parsing algorithm, Drain, is used to parse the log data into log templates, and then the log template sequence is divided by the sliding window algorithm. In the anomaly detection phase, the model first uses LSTM to be able to extract semantic features of log sequences by contextual information, then reconstructs the input data by VAE, calculates the reconstruction error using the reconstructed data and the input data, and detects anomalies in log sequences and reports the results to the administrator if the reconstruction error exceeds a predefined threshold. The results of our experiments, which were based on two real log datasets, indicate that LogLVAE outperformed other algorithms in terms of overall performance.

Computer Science

Xianbo Zhang,Jing Zhang,Jicheng Yang,Feng Lin,Chao Wang,Liang Chang,Dongjiang Li

DOI: https://doi.org/10.1109/icpeca56706.2023.10075876

2023-01-01

Abstract:Log data is a valuable resource for understanding system status. Log recording running status for a computer system is commonly used to identify performance issues and malfunctions. Sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. In this paper, we propose a new log sequential anomaly detection method based on natural language processing techniques by the Population Based Training (PBT) algorithm, which can make full use of semantic information in log templates to analyze log sequences. The Part-of-Speech (PoS) weight mechanism is first employed to improve the digital representation quality of the log template in the feature extraction. And then, TextCNN is used to extract noteworthy information in log template vectors. In the sequence log anomaly detection stage, the combination of TextCNN and LSTM neural network can improve the accuracy of log sequential anomaly detection. On the other hand, the proposed method jointly trains the parameters of the PoS weight mechanism and the parameters of the anomaly detection neural network model through the PBT algorithm, which accelerates the model convergence speed and improves the accuracy of the log sequential anomaly detection. Our model has been tested on four data sets and compared with two state-of-the-art models to prove the effectiveness of our model. The experimental results show that, compared with other log anomaly detection methods, the proposed method performs well.

Yuanyuan Fu,Kun Liang,Jian Xu

DOI: https://doi.org/10.1109/tsc.2023.3289488

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Streaming logs provide valuable information for complex systems in diagnosing system faults or conducting security analysis. Although the log sequence anomaly detection has drawn more and more attention and achieved a satisfactory performance, it remains an extremely difficult task because of several intrinsic challenges including new event occurrences in a continuously evolving environment, making full use of rich dependency hidden in sequential events from the global and local view. To meet these challenges, in this paper, we propose MLog, a hybrid deep neural network for detecting anomalies in log sequences. Specifically, MLog leverages the transformer encoder and a novel event Inverse Document Frequency (IDF) weighted mechanism to obtain a semantic vector for an individual log template. Log sequences represented by sequential template semantic vectors are then fed into a deep neural network combing the Mogrifier Long Short Term Memory (LSTM) with Convolutional Neural Network (CNN) to capture global and local sequential patterns simultaneously. We implement MLog and evaluate it by conducting extensive experiments on two well-known benchmark datasets, HDFS and BGL, from the aspects of detection accuracy and robustness. The results show that MLog outperforms the state-of-the-art approaches and is robust to the evolving logs. To encourage reproducibility, we make the implementation of MLog available.

computer science, information systems, software engineering

Tolga Ergen,Ali Hassan Mirza,Suleyman Serdar Kozat

DOI: https://doi.org/10.1109/TNNLS.2019.2935975

2017-10-25

Abstract:We investigate anomaly detection in an unsupervised framework and introduce Long Short Term Memory (LSTM) neural network based algorithms. In particular, given variable length data sequences, we first pass these sequences through our LSTM based structure and obtain fixed length sequences. We then find a decision function for our anomaly detectors based on the One Class Support Vector Machines (OC-SVM) and Support Vector Data Description (SVDD) algorithms. As the first time in the literature, we jointly train and optimize the parameters of the LSTM architecture and the OC-SVM (or SVDD) algorithm using highly effective gradient and quadratic programming based training methods. To apply the gradient based training method, we modify the original objective criteria of the OC-SVM and SVDD algorithms, where we prove the convergence of the modified objective criteria to the original criteria. We also provide extensions of our unsupervised formulation to the semi-supervised and fully supervised frameworks. Thus, we obtain anomaly detection algorithms that can process variable length data sequences while providing high performance, especially for time series data. Our approach is generic so that we also apply this approach to the Gated Recurrent Unit (GRU) architecture by directly replacing our LSTM based structure with the GRU based structure. In our experiments, we illustrate significant performance gains achieved by our algorithms with respect to the conventional methods.

Signal Processing,Machine Learning

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Dan Lv,Nurbol Luktarhan,Yiyong Chen

DOI: https://doi.org/10.3390/s21186125

2021-09-13

Abstract:Enterprise systems typically produce a large number of logs to record runtime states and important events. Log anomaly detection is efficient for business management and system maintenance. Most existing log-based anomaly detection methods use log parser to get log event indexes or event templates and then utilize machine learning methods to detect anomalies. However, these methods cannot handle unknown log types and do not take advantage of the log semantic information. In this article, we propose ConAnomaly, a log-based anomaly detection model composed of a log sequence encoder (log2vec) and multi-layer Long Short Term Memory Network (LSTM). We designed log2vec based on the Word2vec model, which first vectorized the words in the log content, then deleted the invalid words through part of speech tagging, and finally obtained the sequence vector by the weighted average method. In this way, ConAnomaly not only captures semantic information in the log but also leverages log sequential relationships. We evaluate our proposed approach on two log datasets. Our experimental results show that ConAnomaly has good stability and can deal with unseen log types to a certain extent, and it provides better performance than most log-based anomaly detection methods.

Xianbo Zhang,Chao Wang,Jing Zhang,Feng Lin,Zezhou Li

DOI: https://doi.org/10.1109/ddcls55054.2022.9858500

2022-01-01

Abstract:The multivariate time series (MTS) is observed in various fields nowadays so as to monitor the operating status of equipment like server machines, satellites, engines, etc. Tasks like anomaly detection and anomaly pattern classification of MTS, accordingly, are of great importance to fault warning and system stability. Data-driven methods are increasingly becoming prevailing regarding these problems with a huge amount of input information. In this paper, we propose a new architecture where MTS is processed as images and fed into an attention-based CNN-LSTM network (AC-LSTM). CNN-LSTM network is responsible for extracting both spatial and temporal features among and within each dimension of MTS, while the modified attention mechanism helps promote reasonable weight allocations without the introduction of additional parameters. The proposed model firstly gives the result of anomaly detection and makes a further decision on anomaly classifications if the input is detected as an abnormal one. With the modified attention mechanism and the cooperation of CNN and LSTM, experiments on both public datasets and the operation data collected from real-world applications prove the effectiveness and promotion of the proposed model.

Zhuo Lv,Jiahao Li,Cen Chen

DOI: https://doi.org/10.1117/12.3024645

2024-04-03

Abstract:Timely detection of abnormal behavior in power monitoring systems is crucial for system stability. Traditional log anomaly analysis methods have limitations, especially in handling multi-source or multi-dimensional log data. This paper introduces a method named CLSTMlog, which combines Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) networks, making the most of CNN's ability to extract local features and LSTM's capability to handle temporal relationships. Experimental results demonstrate that CLSTMlog exhibits a significant improvement in performance on the HDFS and IoT-23 datasets, including higher accuracy and reliability. This method has the potential to enhance the efficiency of log anomaly detection in power monitoring systems and overall system performance.

Computer Science,Engineering

Chunkai Zhang,Xinyu Wang,Hongye Zhang,Hanyu Zhang,Peiyi Han

DOI: https://doi.org/10.1109/tnsm.2021.3125967

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:Anomaly detection for log sequences is a necessary task for system intelligent operation and fault diagnosis. In a log sequence, adjacent logs have the property of local correlation, while long-distance logs have remote dependencies. It is helpful to fully mine these information during modeling for improving the performance of anomaly detection. Meanwhile, there are some redundant information or noise in the log sequence, which has no contribution to the detection, and may even bring negative impact. The existing methods for log sequence anomaly detection do not take the above problems into account when constructing models. In this paper, we propose LSADNET, an unsupervised log sequence anomaly detection network based on local information extraction and globally sparse Transformer model. LSADNET applies multi-layer convolution to capture the local correlation between adjacent logs, and utilizes Transformer to learn the global dependency among long-distance logs. Meanwhile, we propose a globally sparse Transformer model to improve the self-attention mechanism, which can help to retain important information adaptively and eliminate the irrelevant information in the log sequence. In addition, according to the co-occurrence mode of log templates, we put forward the calculation formula of log template transfer value, and apply it to log vectorization. Through sufficient experiments on two public datasets, it is confirmed that LSADNET has better performance than the state-of-art methods.

computer science, information systems

F. Bensalah,N. E. Kamoun,Yassine El Yamani,Jihad Kilani,Youssef Baddi,Yousra Fadili

DOI: https://doi.org/10.1109/WINCOM62286.2024.10655101

2024-07-23

Abstract:Anomaly detection in time series data plays a critical role in various domains, including cybersecurity, industrial monitoring, and financial fraud detection. In recent years, deep learning models have emerged as promising tools for addressing the challenges associated with anomaly detection in sequential data. This study investigates the effectiveness of advanced deep learning models in detecting anomalies within real-world time series datasets. Utilizing a diverse dataset, which encompasses a diverse range of time series data, we evaluate the performance of these models across multiple domains. Our experimental results demonstrate the high accuracy and robustness of the evaluated models in detecting anomalies. These models showcase the ability to capture complex temporal patterns and discern anomalies effectively, thereby showcasing their potential for real-world applications. Additionally, we discuss future research directions, emphasizing the exploration of alternative approaches for real-time anomaly detection and the optimization of models for deployment in production environments.

Computer Science

Van-Hoang Le,Hongyu Zhang

DOI: https://doi.org/10.1109/ase51524.2021.9678773

2021-11-01

Abstract:Software systems often record important runtime information in system logs for troubleshooting purposes. There have been many studies that use log data to construct machine learning models for detecting system anomalies. Through our empirical study, we find that existing log-based anomaly detection approaches are significantly affected by log parsing errors that are introduced by 1) OOV (out-of-vocabulary) words, and 2) semantic misunderstandings. The log parsing errors could cause the loss of important information for anomaly detection. To address the limitations of existing methods, we propose NeuralLog, a novel log-based anomaly detection approach that does not require log parsing. NeuralLog extracts the semantic meaning of raw log messages and represents them as semantic vectors. These representation vectors are then used to detect anomalies through a Transformer-based classification model, which can capture the contextual information from log sequences. Our experimental results show that the proposed approach can effectively understand the semantic meaning of log messages and achieve accurate anomaly detection results. Overall, NeuralLog achieves F1-scores greater than 0.95 on four public datasets, outperforming the existing approaches.

Lin, Zaichao

DOI: https://doi.org/10.1007/s11280-023-01174-y

2023-06-14

World Wide Web

Abstract:With versatility and complexity of computer systems, warning and errors are inevitable. To effectively monitor system's status, system logs are critical. To detect anomalies in system logs, deep learning is a promising way to go. However, abnormal system logs in the real world are often difficult to collect, and effectively and accurately categorize the logs is an even time-consuming project. Thus, the data incompleteness is not conducive to the deep learning for this practical application. In this paper, we put forward a novel semi-supervised dual branch model that alleviate the need for large scale labeled logs for training a deep system log anomaly detector. Specifically, our model consists of two homogeneous networks that share the same parameters, one is called weak augmented teacher model and the other is termed as strong augmented student model. In the teacher model, the log features are augmented with small Gaussian noise, while in the student model, the strong augmentation is injected to force the model to learn a more robust feature representation with the guidance of teacher model provided soft labels. Furthermore, to further utilize unlabeled samples effectively, we propose a flexible label screening strategy that takes into account the confidence and stability of pseudo-labels. Experimental results show favorable effect of our model on prevalent HDFS and Hadoop Application datasets. Precisely, with only 30% training data labeled, our model can achieve the comparable results as the fully supervised version.

computer science, information systems, software engineering

Yue Tan,Chunjing Hu,Kuan Zhang,Kan Zheng,Ethan A. Davis,Jae Sung Park

DOI: https://doi.org/10.48550/arXiv.2006.03193

2020-06-05

Abstract:Anomaly detection for non-linear dynamical system plays an important role in ensuring the system stability. However, it is usually complex and has to be solved by large-scale simulation which requires extensive computing resources. In this paper, we propose a novel anomaly detection scheme in non-linear dynamical system based on Long Short-Term Memory (LSTM) to capture complex temporal changes of the time sequence and make multi-step predictions. Specifically, we first present the framework of LSTM-based anomaly detection in non-linear dynamical system, including data preprocessing, multi-step prediction and anomaly detection. According to the prediction requirement, two types of training modes are explored in multi-step prediction, where samples in a wall shear stress dataset are collected by an adaptive sliding window. On the basis of the multi-step prediction result, a Local Average with Adaptive Parameters (LAAP) algorithm is proposed to extract local numerical features of the time sequence and estimate the upcoming anomaly. The experimental results show that our proposed multi-step prediction method can achieve a higher prediction accuracy than traditional method in wall shear stress dataset, and the LAAP algorithm performs better than the absolute value-based method in anomaly detection task.

Signal Processing,Machine Learning

Chao Wang,Jing Zhang,Dongjiang Li,Liang Chang,Feng Lin,Xianbo Zhang

DOI: https://doi.org/10.1109/ICCT56141.2022.10072770

2022-11-11

Abstract:System logs are widely used by engineers to record runtime status in the information technology (IT) field. The sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. Conventional manual log anomaly detection suffers high costs and unsustainable development. Thus, automatic methods based on Natural Language Processing (NLP) technology are proposed to improve the accuracy and efficiency of log anomaly detection. In this paper, we propose a new log anomaly detection model, named LogPS. LogPS utilizes the Part-of-Speech (PoS) technique to extract semantic information from log messages. By allocating the learned PoS-based weights to different tokens in a log template, LogPS can improve the representation quality of the log template vector. In the final anomaly detection stage, we treat a system log as a natural language sequence and build a Bidirectional Long Short-Term Memory (BiLSTM) neural network as the LogPS detection model. Therefore, LogPS can capture sufficient and contextual information from input log sequences from the forward pass and the backward pass. And LogPS can automatically learn log patterns and detect anomalies. The effectiveness of our model is tested on three datasets and is compared with other state-of-the-art models. The experimental results show that, compared with other log anomaly detection methods, the proposed LogPS performs well.

Computer Science

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Yuyuan Chang,Nurbol Luktarhan,Jingru Liu,Qinglin Chen

DOI: https://doi.org/10.3390/electronics12081877

IF: 2.9

2023-04-17

Electronics

Abstract:The scale of the system and network applications is expanding, and higher requirements are being put forward for anomaly detection. The system log can record system states and significant operational events at different critical points. Therefore, using the system log for anomaly detection can help with system maintenance and avoid unnecessary loss. The system log has obvious timing characteristics, and the execution sequence of the system log has a certain dependency relationship. However, sometimes the length of sequence dependence is long. To handle the problem of longer sequence logs in anomaly detection, this paper proposes a system log anomaly detection method based on efficient channel attention and temporal convolutional network (ETCNLog). It builds a model by treating the system log as a natural language sequence. To handle longer sequence logs more effectively, ETCNLog uses the semantic and timing information of logs. It can automatically learn the importance of different log sequences and detect hidden dependencies within sequences to improve the accuracy of anomaly detection. We run extensive experiments on the actual public log dataset BGL. The experimental results show that the Precision and F1-score of ETCNLog reach 98.15% and 98.21%, respectively, both of which are better than the current anomaly detection methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Ang Zhang,Xiaoyong Zhao,Lei Wang

DOI: https://doi.org/10.1109/itnec52019.2021.9587207

2021-10-15

Abstract:The purpose of anomaly detection is to detect data that deviates from the expected, and is widely used in intrusion detection, data preprocessing and so on.For data anomaly detection, we propose a data anomaly detection algorithm based on convolutional neural network and Encoder-Decoder architecture CNN-LSTMED (Convolutional Neural Networks Long Short-Term Encoder-Decoder).First,we use the convolutional neural network to encode the time series data to obtain the encoded sequence,and use the features extracted from the sequence as the input of the nonlinear model long short-term memory network LSTM (Long Short-Term Memory) to decode and output the decoded sequence. Finally, the reconstruction error is calculated and the threshold is set to determine the abnormal point. Through experimental comparison with GRUED (Gated Recurrent Neural Encoder-Decoder), LSTMED (Long Short-Term Memory Encoder-Decoder) ,and other algorithms on the KDD99 data set and credit card fraud data set,it turns out that our algorithm has strong robustness and accuracy .

Xingfang Wu,Heng Li,Foutse Khomh

2024-10-01

Abstract:Log data are generated from logging statements in the source code, providing insights into the execution processes of software applications and systems. State-of-the-art log-based anomaly detection approaches typically leverage deep learning models to capture the semantic or sequential information in the log data and detect anomalous runtime behaviors. However, the impacts of these different types of information are not clear. In addition, existing approaches have not captured the timestamps in the log data, which can potentially provide more fine-grained temporal information than sequential information. In this work, we propose a configurable transformer-based anomaly detection model that can capture the semantic, sequential, and temporal information in the log data and allows us to configure the different types of information as the model's features. Additionally, we train and evaluate the proposed model using log sequences of different lengths, thus overcoming the constraint of existing methods that rely on fixed-length or time-windowed log sequences as inputs. With the proposed model, we conduct a series of experiments with different combinations of input features to evaluate the roles of different types of information in anomaly detection. When presented with log sequences of varying lengths, the model can attain competitive and consistently stable performance compared to the baselines. The results indicate that the event occurrence information plays a key role in identifying anomalies, while the impact of the sequential and temporal information is not significant for anomaly detection in the studied public datasets. On the other hand, the findings also reveal the simplicity of the studied public datasets and highlight the importance of constructing new datasets that contain different types of anomalies to better evaluate the performance of anomaly detection models.

Software Engineering,Artificial Intelligence,Machine Learning

Qiaozheng Wang,Xiuguo Zhang,Xuejie Wang,Zhiying Cao

DOI: https://doi.org/10.3390/e24010069

2021-12-30

Abstract:The log messages generated in the system reflect the state of the system at all times. The realization of autonomous detection of abnormalities in log messages can help operators find abnormalities in time and provide a basis for analyzing the causes of abnormalities. First, this paper proposes a log sequence anomaly detection method based on contrastive adversarial training and dual feature extraction. This method uses BERT (Bidirectional Encoder Representations from Transformers) and VAE (Variational Auto-Encoder) to extract the semantic features and statistical features of the log sequence, respectively, and the dual features are combined to perform anomaly detection on the log sequence, with a novel contrastive adversarial training method also used to train the model. In addition, this paper introduces the method of obtaining statistical features of log sequence and the method of combining semantic features with statistical features. Furthermore, the specific process of contrastive adversarial training is described. Finally, an experimental comparison is carried out, and the experimental results show that the method in this paper is better than the contrasted log sequence anomaly detection method.